“Red Flag Rules” 609 Will Impose Additional Administrative Burdens on Hospitals
Tuesday, August 4, 2009
identity protection, red flag rules, ftc, financial institutions
Print Mail Download i

In 2007, the Federal Trade Commission (FTC) issued "Red Flag Rules," which require financial institutions and other creditors that maintain covered accounts to develop and implement identity theft prevention programs. These Red Flag Rules likely apply to hospitals and other health care providers. The original deadline for creditors to comply with the Red Flag Rules was November 1, 2008, but this deadline has been extended several times. Creditors must now comply by August 1, 2009.

According to the FTC’s definition, a creditor is any entity that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew or continue credit. A covered account is an account used mostly for personal, family or household purposes and that involves multiple payments or transactions. A covered account is also any account for which there is a foreseeable risk of identity theft. Although some issues surrounding the definition of creditor are not yet resolved, the FTC has taken the position that a hospital or other health care provider that bills for services after they are rendered or that accepts insurance but holds the customer ultimately responsible for payment is a creditor subject to the Red Flag Rules.

A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of identity theft. Examples of Red Flags include:

  • documents provided for identification appear to have been altered or forged;
  • information on the identification provided by a person is not consistent with information provided by that person when making a credit application;
  • an application appears to have been altered or forged or gives the appearance of having been destroyed and reassembled; and
  • a person opening a credit account fails to provide all required personal identifying information.

The Red Flag Rules require a covered entity to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Red Flag Rules are flexible, and they allow the creditor to develop a program that is appropriate to the size and complexity of the company and the nature and scope of its activities. The program must include reasonable policies and procedures to:

  • identify Red Flags;
  • detect Red Flags;
  • respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • ensure that the program is updated periodically to reflect changes in risks to customers and the business from identity theft.

Hospitals should begin preparing to comply with the Red Flag Rules by developing an identity theft prevention program in advance of the August 1, 2009, deadline. Given the stringent HIPAA privacy requirements that hospitals and other health care providers must comply with, there may already be systems in place that satisfy some of the Red Flag Rules. In developing the required program, hospitals should consider Red Flags most likely to present themselves in the health care industry, such as claims that services billed for were not actually provided, claims that services were billed under the wrong patient name, inconsistencies between records of treatment and a physical examination of a patient, and claims that a patient or the party billed has been a victim of identity theft. Hospitals should also incorporate procedures into their programs for carefully verifying insurance coverage information and change of address requests.

Although the details of each hospital’s program will vary based on the particular nature of its business, these guidelines should provide a starting point for developing the required identity theft prevention program. Hospital administrators should monitor the status of the Red Flag Rules in advance of the August 1, 2009 effective date and ensure that they have a program in place by the deadline if there are no further delays in the application of the rules.

© 2009 Poyner Spruill LLP. All rights reserved.
© 2009 Poyner Spruill LLP. All rights reserved.

Current Legal Analysis

More from Poyner Spruill LLP

Administrative Check-Up on Participant Plan Loans
by: Employment Law
Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know – and Do
by: Employment Law
Substantial Risk of Forfeiture: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 2
by: Employment Law , Kelsey H. Mayo
Deferred Compensation: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 1
by: Employment Law
NLRB Continues to Target Employers’ Social Media Policies
by: Employment Law
Hospice Providers – Step Up to the “MIC”
by: Iain M Stauffer
Final CMS Rule on the Reporting and Returning of Medicare Overpayments is a Wake-Up Call for Physicians
by: Wilson Hayman
Don't Be a Target -- Retirement Plan Fees and Expenses
by: Employment Law
EEOC Files First Two Lawsuits Challenging Sexual Orientation Discrimination
by: Employment Law
One Year Later: Avoiding Unfavorable Risk Weighting of Acquisition, Development, and Construction Loans for Commercial Real Estate Projects
by: Christopher S. Dwight

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins